Jump to content

Repetitive error reports in MBAMSERVICE.LOG


Recommended Posts

Malwarebytes Version information
==================================
   "controllers_version" : "1.0.421",
   "db_version" : "2018.08.21.06",
   "dbcls_pkg_version" : "1.0.6441",
   "installer_version" : "3.5.1",

I was about to gather information in order to query what appear to be repetitive uploads of whitelisted false positive ransomware (the subject of a future topic) when I discovered the following error messages have been filling the log files. Here is a sample:

Begin Quote.

08/21/18    " 14:56:03.144"    7592989    121c    17cc    ERROR    MBAMProtection    BuildWin32FileName    "util.c"    133    "No FinalComponent in path"
08/21/18    " 14:56:03.144"    7592989    121c    17cc    ERROR    MBAMProtection    WorkItemCallback    "filter.c"    223    "Unknown volume (\Device\000000f2)"
08/21/18    " 14:56:03.144"    7592989    121c    17cc    ERROR    MBAMProtection    BuildWin32FileName    "util.c"    133    "No FinalComponent in path"
08/21/18    " 14:56:03.144"    7592989    121c    17cc    ERROR    MBAMProtection    WorkItemCallback    "filter.c"    223    "Unknown volume (\Device\000000f2)"
08/21/18    " 14:56:03.144"    7592989    121c    17cc    ERROR    MBAMProtection    BuildWin32FileName    "util.c"    133    "No FinalComponent in path"
08/21/18    " 14:56:03.144"    7592989    121c    17cc    ERROR    MBAMProtection    WorkItemCallback    "filter.c"    223    "Unknown volume (\Device\000000f2)"
08/21/18    " 14:56:03.145"    7592989    121c    17cc    ERROR    MBAMProtection    BuildWin32FileName    "util.c"    133    "No FinalComponent in path"
08/21/18    " 14:56:03.145"    7592989    121c    17cc    ERROR    MBAMProtection    WorkItemCallback    "filter.c"    223    "Unknown volume (\Device\000000f2)"
08/21/18    " 14:56:03.145"    7592989    121c    17cc    ERROR    MBAMProtection    BuildWin32FileName    "util.c"    133    "No FinalComponent in path"
08/21/18    " 14:56:03.145"    7592989    121c    17cc    ERROR    MBAMProtection    WorkItemCallback    "filter.c"    223    "Unknown volume (\Device\000000f2)"
08/21/18    " 14:56:03.145"    7592989    121c    17cc    ERROR    MBAMProtection    BuildWin32FileName    "util.c"    133    "No FinalComponent in path"
08/21/18    " 14:56:03.146"    7593005    121c    17cc    ERROR    MBAMProtection    WorkItemCallback    "filter.c"    223    "Unknown volume (\Device\000000f2)"
08/21/18    " 14:56:03.146"    7593005    121c    17cc    ERROR    MBAMProtection    BuildWin32FileName    "util.c"    133    "No FinalComponent in path"
08/21/18    " 14:56:03.146"    7593005    121c    17cc    ERROR    MBAMProtection    WorkItemCallback    "filter.c"    223    "Unknown volume (\Device\000000f2)"
08/21/18    " 14:56:03.146"    7593005    121c    17cc    ERROR    MBAMProtection    BuildWin32FileName    "util.c"    133    "No FinalComponent in path"
08/21/18    " 14:56:03.146"    7593005    121c    17cc    ERROR    MBAMProtection    WorkItemCallback    "filter.c"    223    "Unknown volume (\Device\000000f2)"

End Quote

I traced back to their first appearence:

Begin Quote.

08/19/18    " 01:17:59.499"    43935996    05d8    3f70    ERROR    MBAMProtection    BuildWin32FileName    "util.c"    133    "No FinalComponent in path"
08/19/18    " 01:17:59.499"    43935996    05d8    3f70    ERROR    MBAMProtection    WorkItemCallback    "filter.c"    223    "Unknown volume (\Device\000000f3)"
08/19/18    " 01:17:59.499"    43935996    05d8    3f70    ERROR    MBAMProtection    BuildWin32FileName    "util.c"    133    "No FinalComponent in path"
08/19/18    " 01:17:59.500"    43935996    05d8    3f70    ERROR    MBAMProtection    WorkItemCallback    "filter.c"    223    "Unknown volume (\Device\000000f3)"

End Quote.

The preceding entries appear to reflect a Malwarebytes update.

Suggestions?

 

Link to post
Share on other sites

  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

Spoiler

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download Malwarebytes Support Tool
  • Once the file is downloaded, open your Downloads folder/location of the downloaded file
  • Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  • Place a checkmark next to Accept License Agreement and click Next
  • You will be presented with a page stating, "Welcome to the Malwarebytes Support Tool!"
  • Click the Advanced Options link

    welcome mbst.png
     
  • Click the Gather Logs button

    gatherlogs.png
     
  • A progress bar will appear and the program will proceed to gather troubleshooting information from your computer
  • Upon completion, click OK
  • A file named mbst-grab-results.zip will be saved to your Desktop
  • Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:

     notify me.jpeg  


    Click "Reveal Hidden Contents" below for details on how to attach a file:
     
    Spoiler

    To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

    mb_attach.jpg.220985d559e943927cbe3c078b
     

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Link to post
Share on other sites

We added some enhanced logging into this latest release which will show quite a bit more data, some of these errors aren't necessarily program errors, but rather internal errors that can safely be ignored. That being said, if you can provide the logs requested above, it will give us a better idea of what's going on to make sure this isn't something we need to address.

Link to post
Share on other sites

5 hours ago, dcollins said:

Thanks, we've been able to replicate this with Boxcryptor and will file a defect for it

Great! While I'm here and this should really be under a separate topic but the evidence should be in the same logs you already have.  I've recently noticed periodic outgoing transmit activity associated with MBAMservice.exe. The logs appear to suggest Malwarebytes ransomware component while detecting items that have been whitelisted (by Malwarebytes, not the user) still sends copies back to your servers. In my case, this means the same two whitelisted executables are being sent to your servers multiple times every day. It's an issue because I keep seeing significant transmit activity when there shouldn't be any.

Link to post
Share on other sites

9 hours ago, dcollins said:

We did have some issues with the last component update that caused some excessive data to be sent to our servers, but this should have been fixed in the latest version you installed on 8/19. Have you noticed that spike in data being sent since then?

About every 15 minutes or so MBAMService.exe sends a couple of MB to an Amazon AWS address e.g ec2-54-69-202-72.us-west-2.compute.amazonaws.com:443. The address varies. I'll try to organise a cumulative log but I don't have an appropriate tool to hand; once upon a time you could access detailed user-friendly logs but everything is dumbed down these days! Assuming this is the same issue, prior to the issue that is the subject of this topic, I had been able to correlate the transmissions with MBAMService log entries reporting re-transmitting whitelisted 'ransomware'. Since the 'multiple error notifications' issue appeared I am unable to locate any record of the transmissions, at least in the MB plain text logs.

Link to post
Share on other sites

In Malwarebytes, can you go to Settings -> Application and turn on Event Log Data. This turns on debug logging. Then wait for the next data transmission to happen, and gather a new set of logs using the Support Tool like you did before. Please PM me those logs again and I'll take a look at what's going on. These logs should show us what's being sent up and why.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.